fix(auth): use standard 'Unauthorized' error in hybrid auth responses #3850

Merged
waleedlatif1 merged 1 commit into staging from waleedlatif1/workflow-exec-auth-error
Mar 30, 2026

@waleedlatif1
Collaborator

Summary

  • Replace verbose auth error messages ("provide session, API key, or internal JWT") with standard "Unauthorized" in hybrid auth
  • Aligns with the rest of the codebase's 401 responses

Type of Change

  • Bug fix

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@cursor

cursor bot commented Mar 30, 2026

PR Summary

Low Risk
Low risk: this only changes error strings returned when no session/JWT/API key auth is present, without altering validation logic or access control behavior.

Overview
Standardizes unauthenticated responses in checkSessionOrInternalAuth and checkHybridAuth by replacing the previous verbose "authentication required" messages with a consistent Unauthorized error string.

Written by Cursor Bugbot for commit fa62e38.

@vercel

vercel bot commented Mar 30, 2026

The latest updates on your projects.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Mar 30, 2026 11:10pm

@greptile-apps
Contributor

greptile-apps bot commented Mar 30, 2026

Greptile Summary

This PR standardizes the 401 error messages in apps/sim/lib/auth/hybrid.ts by replacing two verbose, implementation-detail-leaking strings ("Authentication required - provide session or internal JWT" and "Authentication required - provide session, API key, or internal JWT") with the terse "Unauthorized" used consistently throughout the rest of the codebase.

  • Affected functions: checkSessionOrInternalAuth (line 157) and checkHybridAuth (line 228)
  • No logic, control-flow, or interface changes — purely cosmetic/messaging
  • No callers compare the error string value; they pass it through to HTTP responses (e.g. auth.error || 'Unauthorized'), so the change is safe
  • Reduces information leakage by not advertising available authentication mechanisms to unauthenticated callers

Confidence Score: 5/5

  • Safe to merge — purely a string change with no logic impact and positive security implications.
  • The change is two string literals in error paths. No caller checks the specific error text; all downstream consumers either log it or pass it through as a response body. The new value "Unauthorized" already appears as the fallback in many call sites, making this strictly consistent. No risk of breakage.
  • No files require special attention.

Important Files Changed

Filename Overview
apps/sim/lib/auth/hybrid.ts Replaces two verbose error message strings with the standard "Unauthorized" in checkSessionOrInternalAuth and checkHybridAuth; no logic changes, aligns with the rest of the codebase.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Incoming Request] --> B{Bearer token present?}
    B -- Yes --> C[verifyInternalToken]
    C -- Valid --> D[Return success: INTERNAL_JWT]
    C -- Invalid --> E[Try session]
    B -- No --> E
    E --> F{Session found?}
    F -- Yes --> G[Return success: SESSION]
    F -- No --> H{checkHybridAuth only: x-api-key header?}
    H -- Yes --> I[authenticateApiKeyFromHeader]
    I -- Valid --> J[Return success: API_KEY]
    I -- Invalid --> K["Return { success: false, error: 'Invalid API key' }"]
    H -- No --> L["Return { success: false, error: 'Unauthorized' }"]

Reviews (1): Last reviewed commit: "fix(auth): use standard 'Unauthorized' e..."
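
The flow in the flowchart above and the information-leakage point from the summary, as an added example that is not code from this PR or from the project: a simplified model of the hybrid auth decision plus a regression guard that lists which auth mechanisms an error string names. The names `modelHybridAuth`, `Verifiers`, `stubVerifiers`, `errorOf` and `mechanismsNamed` are hypothetical; only the error strings and auth-type labels come from the page.

```typescript
// Added example: hypothetical model of the flowchart; only the error strings and auth-type labels come from the page.
type AuthResult =
  | { success: true; authType: 'INTERNAL_JWT' | 'SESSION' | 'API_KEY' }
  | { success: false; error: string }

interface Verifiers {
  verifyInternalToken(token: string): boolean
  sessionExists(cookie: string | undefined): boolean
  verifyApiKey(key: string): boolean
}
type RequestHeaders = Record<string, string | undefined>

function modelHybridAuth(headers: RequestHeaders, v: Verifiers): AuthResult {
  const authz = headers['authorization'] ?? ''
  if (authz.startsWith('Bearer ') && v.verifyInternalToken(authz.slice('Bearer '.length))) {
    return { success: true, authType: 'INTERNAL_JWT' }
  }
  // An invalid bearer token falls through to the session check, as in the flowchart.
  if (v.sessionExists(headers['cookie'])) return { success: true, authType: 'SESSION' }
  const apiKey = headers['x-api-key']
  if (apiKey !== undefined) {
    return v.verifyApiKey(apiKey)
      ? { success: true, authType: 'API_KEY' }
      : { success: false, error: 'Invalid API key' }
  }
  return { success: false, error: 'Unauthorized' }
}

const errorOf = (r: AuthResult): string | null => (r.success ? null : r.error)

// Regression guard: list the auth mechanisms an error string names. A 401 sent to
// a caller that presented no credential should name none of them.
const MECHANISM_PATTERNS: Array<[string, RegExp]> = [
  ['session', /\bsession\b/i],
  ['api key', /\bapi[ -]?key\b/i],
  ['jwt', /\bjwt\b/i],
]

function mechanismsNamed(error: string): string[] {
  return MECHANISM_PATTERNS.filter(([, re]) => re.test(error)).map(([name]) => name)
}

// Constructed stub verifiers so the model runs offline.
const stubVerifiers: Verifiers = {
  verifyInternalToken: (t) => t === 'good-internal-token',
  sessionExists: (c) => c === 'sid=valid',
  verifyApiKey: (k) => k === 'good-key',
}
```

Run over the two strings this PR replaced, `mechanismsNamed` reports the mechanisms they advertised; for "Unauthorized" it reports none.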

waleedlatif1 force-pushed the waleedlatif1/workflow-exec-auth-error branch from fa62e38 to 7a42e29 March 30, 2026 23:10
waleedlatif1 merged commit 5c33487 into staging Mar 30, 2026
6 checks passed
waleedlatif1 deleted the waleedlatif1/workflow-exec-auth-error branch March 30, 2026 23:11